In-circuit security system and methods for controlling access to and use of sensitive data

ABSTRACT

A first electronic device comprises a transmitter, a secure processor, a secure memory, and one or more biometric sensors. The first electronic device is configured to communicate securely via the transmitter with a second electronic device that is separate from the first electronic device. The first electronic device receives first biometric information of a user via the one or more biometric sensors. In response to receiving the first biometric information, the first electronic device compares, via the secure processor, the first biometric information to second biometric information stored in the secure memory; and determines, based on the comparison, whether the user meets authentication criteria. In accordance with a determination that the user meets authentication criteria, the first electronic device generates a verification signal that, when received by the second electronic device, grants access to operate the second electronic device, and transmits the verification signal to the second electronic device. In accordance with a determination that the user does not meet the authentication criteria, the first electronic device forgoes generating the verification signal and transmitting the verification signal to the second electronic device.

RELATED U.S. APPLICATION DATA

This application is a continuation of U.S. patent application Ser. No. 14/716,766 (now U.S. Pat. No. 9,923,884), filed May 19, 2015, entitled “An In-Circuit Security System And Methods For Controlling Access To And Use Of Sensitive Data,” which is a continuation of U.S. patent application Ser. No. 13/947,313 (now U.S. Pat. No. 9,124,930), filed on Jul. 22, 2013, entitled “An In-Circuit Security System And Methods For Controlling Access To And Use Of Sensitive Data,” which is a continuation of U.S. patent application Ser. No. 12/555,480 (now U.S. Pat. No. 8,495,382), filed Sep. 8, 2009, entitled “An In-Circuit Security System And Methods For Controlling Access To And Use Of Sensitive Data,” which is a divisional of U.S. patent application Ser. No. 10/858,287 (now U.S. Pat. No. 7,587,611), filed Jun. 1, 2004, entitled “An In-Circuit Security System And Methods For Controlling Access To And Use Of Sensitive Data,” which claims priority under U.S.C. § 119(e) of provisional patent application Ser. No. 60/474,750, filed May 30, 2003, entitled “Secure Biometric Identification Devices and Systems for Various Applications,” each of which is hereby incorporated by reference in its entirety.

BACKGROUND OF THE INVENTION

Field of the Invention

The invention disclosed herein relates to the security of sensitive data stored, processed and distributed using electronic circuits. More particularly, the invention relates to the identification of individuals prior to accessing/using data, and the execution of security controls upon unauthorized attempts to access/use said data.

In recent years there has been an explosion of electronic devices that individuals may use for storing and transmitting sensitive data. In a low-security example, portable devices like a Palm™ or BlackBerry handheld computer typically contain software for e-mail, along with options for storing credit cards, schedules, and other data. Most people wish to protect this information, but most handheld devices rely on their operating system to secure data. Unfortunately, the most common operating systems for these handheld computers were not designed with security as the main goal, and retrofitting basic security mechanisms has been clumsy.

A growing number of electronic devices, such as smart cards, are intended to specifically identify and authenticate users using the public key infrastructure, which requires secure storage of private keys. These devices are common in building security; for example, an individual with proper authorization to access a facility is assigned a smart card and an asymmetric key pair. A certificate authority generates a digital certificate for the public key, which is stored in the smart card. The private key is also stored on the smart card. When the individual places his smart card in the reader at the access point of the facility, the card transmits its digital certificate, and the reader challenges the card to encrypt a supplied string with the individual's private key. The reader obtains the public key out of the digital certificate and decrypts the private key-encrypted string to verify that the keys are related. This has an inherent problem because there is no guarantee that the individual using the private key is the assigned owner of the smart card. Furthermore, it is fairly simple for an experienced attacker to gain access to keys stored on the card.

Some handheld devices, such as Hewlett Packard's iPAQ PocketPC h5450, include biometric sensors for improved personal identification before allowing access to sensitive data. An individual possessing this device is instructed to enroll one or more of his fingerprints into the device's software. The enrolled fingerprint can be used as the sole password or as an alternative to a typed password. This type of device can be a substantial improvement on traditional data-access methods, because the biometric can be definitively tied to a single individual. However, if the sensitive data is stored or transmitted insecurely, the biometric authentication does not substantially hinder an attacker from probing the memory and compromising it.

These concerns have contributed to the marketing of products billed as ‘secure memory’ or ‘secure processor’. These products are typically constructed with varying degrees of security; one lower degree is considered ‘tamper-evident’, in which an unskilled observer would see that someone had attempted to maliciously gain access to secured data. A higher level is ‘tamper-resistant’, in which the product actively resists tampering by use of a self-destruct mechanism, an impermeable substance that coats the components storing sensitive data such as a polymer-based coating or other so-called “conformal coating”, or some other process. Furthermore, these products may encrypt input/output lines, mislabel parts, and perform other types of obfuscation.

DESCRIPTION OF THE RELATED ART

U.S. Pat. No. 5,533,123 to Force, et al., discloses programmable distributed personal security inventions. The patent teaches a “Secured Processing Unit” (“SPU”) comprising an “SPU chip” and a microprocessor designed especially for secure data processing. The invention integrates keys, encryption and decryption engines, and algorithms in the SPU of the invention. Purportedly, the security process is portable and easily distributed across physical boundaries. The invention is based upon three interdependent subsystems. The first subsystem of the invention is a detector subsystem, which alerts an SPU to the existence and to the character of a security attack. A second subsystem is a filter subsystem that correlates data from multiple detectors, then assesses the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design of the SPU itself. A third subsystem is a response subsystem for generating responses, or countermeasures, calculated by the filters to be most appropriate under the circumstances, in order to deal with the attack(s) detected. Force does not disclose identity credential verification within the SPU.

U.S. Pat. No. 5,825,878 to Takahashi discloses a secure embedded memory management unit for a microprocessor. A microprocessor memory management apparatus is used for encrypted instruction and data transfer from an external memory. Physical security is obtained by embedding the direct memory access controller on the same chip with a microprocessor core, an internal memory, and encryption/decryption logic. Data transfer to and from an external memory takes place between the external memory and the memory controller of the memory management unit. All firmware to and from the external memory is handled on a page-by-page basis. Since all of the processing takes place on buses internal to the chip, detection of clear unencrypted instructions and data is prevented. Takahashi does not disclose any capability, anticipation, intention, or provision for including identity credential verification on the management unit or within the microprocessor core.

U.S. Pat. No. 5,832,207 to Little, et al., teaches a secure module including a microprocessor and a co-processor. The electronic module is provided with at least one microprocessor and a co-processor deployed into a single integrated circuit. The electronic module may be contained in a small form factor housing. The electronic module provides secure bi-directional data communication via a data bus. The electronic module may include an integrated circuit including a microprocessor and a co-processor adapted to handle 1,024-bit modulo mathematics primarily aimed at RSA calculations. The electronic module is preferably contained in a small token-sized metallic container. The module preferably communicates via a single wire data bus using a one-wire protocol. Little et al. does not disclose personal identification systems.

U.S. Pat. No. 5,894,550 to Thireit discloses a method of implementing a secure program in a microprocessor card, and a microprocessor card including a secure program. The invention claims that a program can be made secure relative to a CPU. The invention accomplishes this by storing in a first memory zone predetermined address functions that are directly executable by the CPU. The first memory zone is then write-protected, then the program is stored in a second memory zone in the form of a series of instructions that are executable within the second memory zone or that activate functions contained in the first memory zone.

U.S. Pat. Nos. 5,481,265, 5,729,220, 6,201,484 and 6,441,770 to Russell detail a handheld device used to authenticate persons and said device to remote computer systems. The invention further includes a “kill switch” or “kill signal” enabling the computer system to remotely disable the handheld device and restrict further emissions. However, the system is primarily targeted at local area network applications and does not anticipate or suggest broader applications.

BRIEF SUMMARY OF THE INVENTION

The invention disclosed herein is an in-circuit security system for electronic devices. The in-circuit security system incorporates identity credential verification, secure data and instruction storage, and secure data transmission capabilities. It comprises a single semiconductor chip, lowering component cost and reducing board space. The in-circuit security system chip is secured using mechanisms for preventing information tampering or eavesdropping, such as the addition of oxygen reactive layers. This invention also incorporates means for establishing security settings and profiles for the in-circuit security system and enrolled individuals. The in-circuit security system can be used in a variety of electronic devices, including handheld computers, secure facility keys, vehicle operation/ignition systems, and digital rights management.

BRIEF DESCRIPTION OF DRAWINGS

Master Reference Numeral List

FIG. 1: Sample embodiment of in-circuit security system components

-   100 In-circuit security system
-   101 Processor
-   102 Memory
-   103 Identity credential verification subsystem
-   104 Cryptographic subsystem
-   105 Real-time clock
-   106 Power source (OPTIONAL)
-   107 Transceiver (OPTIONAL)
-   108 Random number generator
-   110 Connection to identity credential sensor
-   111 Connection to peripheral components
-   112 Connection to antenna or cables

FIG. 2: Handheld computer with the in-circuit security system

-   100 In-circuit security system
-   201 Non-secure processor
-   202 Non-secure memory
-   203 Fingerprint sensor
-   204 Antenna
-   213 Display
-   214 Keypad

FIG. 3: Electronic lock mechanism with the in-circuit security system

-   100 In-circuit security system
-   313 LEDs
-   314 Electronic lock mechanism

FIG. 1 is a schematic view of a sample embodiment of the in-circuit security system.

FIG. 2 is a schematic view of the components of a simple handheld computer using the in-circuit security system.

FIG. 3 is a schematic view of the components of an electronic lock mechanism using the in-circuit security system.

FIGS. 4-5 depict embodiments of a biometric personal identification device (BPID) for remote-controlled applications.

DETAILED DESCRIPTION OF THE INVENTION

The invention described herein is an in-circuit security system by which pre-enrolled individuals may access sensitive data or perform actions on sensitive data in an environment that is fully monitored and protected. The in-circuit security system requires full authentication of individuals and can perform a variety of programmed responses in the event that pre-established authentication standards are not met. The in-circuit security system includes secure transmission of sensitive data to remote devices.

The in-circuit security system comprises several components combined securely into a single, secure chip. As seen in FIG. 1, the primary embodiment of the in-circuit security system 100 comprises a processor 101, a memory 102, a real-time clock 105, and a random number generator 108. The in-circuit security system 100 also includes a cryptographic subsystem 104 and an identity credential verification subsystem 103. These subsystems may be logical, physical, or some combination thereof, and are described in further detail below. In typical embodiments, the in-circuit security system 100 will also contain a power source 106, such as a battery, in order to maintain power to the real-time clock 105. During manufacture, the in-circuit security system 100 receives a unique, one-time programmable electronic identification code that can be read but cannot be altered or removed. The in-circuit security system 100 also preferably provides multiple input/output interfaces 110-112 for connection to optional internal/external components, such as transceivers 107, antennae, identity credential sensors, non-secure processors, etc.

The processor 101 is the main control component; it is responsible for loading and executing instructions to control the various components of the chip, as well as performing user-requested tasks. The memory 102 is coupled to the processor 101. It comprises both volatile and non-volatile components and can be used to store instructions or data, such as security settings or profiles and cryptographic keys. The application of these security settings is discussed below. The real-time clock 105 is also coupled to the processor 101 and is used to maintain an accurate time, which can be used in cryptographic signing, audit records, or other transactions. The real-time clock 105 may be connected to a power source 106 in order to constantly maintain time. If the in-circuit security system 100 does not include the power source 106, the real-time clock 105 must be cognizant of power disconnects, which means that it can no longer provide an accurate time.

The fourth component of the in-circuit security system 100 is a random number generator 108. The random number generator 108 is used for seeding cryptographic algorithms, and may use any of the established methods for guaranteeing sufficient randomness. The random number generator 108 may be included as part of the cryptographic subsystem 104 or may be a standalone component coupled to the subsystem 104. The cryptographic subsystem 104 is a dedicated system for performing encryption and decryption, digital signing and digital signature verification. In one embodiment the subsystem 104 is responsible for storing cryptographic keys in its own memory; in another, the subsystem is coupled to and uses the main memory 102 of the in-circuit security system 100. Additionally, one primary embodiment of the invention uses a cryptographic acceleration chip or component as the cryptographic subsystem 104. Alternative embodiments are coupled to and use the main processor 101 as the cryptographic engine.

The identity credential verification subsystem 103 is used to determine the identity of an individual attempting to use the in-circuit security system 100 and identify his associated security privileges. The identity credential verification subsystem 103 performs identity credential acquisition, analysis, storage and matching. In the primary embodiment of the invention, the identity credential verification subsystem 103 uses digital representations of fingerprints as the identity credential. In this embodiment the identity credential verification subsystem 103 performs fingerprint image acquisition, and template generation, storage, and matching. The identity credential verification subsystem 103 may use the main processor 101 of the in-circuit security system 100 for credential processing actions or may use its own specialized processor. Similarly, it may employ its own memory for credential storage or use the main memory 102 of the in-circuit security system 100. The in-circuit security system 100 provides one or more connections 110 to external components for credential sensing, such as a fingerprint sensor.

The in-circuit security system 100 incorporates an interface 112 to a transceiver 107, antenna, wire, or other remote communication device that is coupled to the processor 101. This component is used for transmission of data from one device to another. All sensitive data that is to be transmitted from the in-circuit security system 100 can be encrypted using the cryptographic subsystem 104, so it is not necessary to place a transceiver 107 within the secure boundaries of the in-circuit security system 100. However, in some embodiments it may prove to be convenient to incorporate the transceiver 107 into the chip. In these embodiments the interface 112 would be from the transceiver to an antenna, wire, or other communication device. In a primary embodiment of the invention, the transmission technology is radio-frequency identification (RFID), such as the ISO 14443 A/B or 15693 standards. In another embodiment the in-circuit security system 100 uses Bluetooth or infrared technology. Other embodiments provide a combination of these technologies or others. In alternative embodiments, it may be useful to use a wired technology, such as a serial or USB connection. The in-circuit security system 100 preferably provides external connections 112 for requisite connectors, cables or antennae.

The authentication of individuals allows the in-circuit security system 100 to associate an individual with specific security privileges within the system. For example, one user may be enrolled and identified as a typical user with no ability to reset the system 100, while an alternate user may be identified as an administrator with that ability. Additionally, the in-circuit security system 100 may be programmed to perform a variety of both temporary and permanent responses to security events. For example, a specified number of access denials within a particular time interval may cause the in-circuit security system 100 to suspend all actions or halt the real-time clock 105 until reset by an enrolled administrator. Alternatively, an attempt to crack open the case of the chip housing the in-circuit security system 100 may result in permanent erasure of memory 102, or destruction of other components. The in-circuit security system 100 may also be programmed to allow an enrolled individual to directly disable or destroy components.

As described above, the in-circuit security system 100 is combined into one secured chip with three major interfaces: an interface to a credential sensing mechanism, such as a fingerprint sensor; an interface to peripheral components, such as non-secure processors or user-interface devices; and an interface to a transceiver or antenna for remote communications. Other interfaces are strictly prevented. The chip may use one or more physical security measures to prevent information eavesdropping. These obfuscation techniques include use of “potting”, oxygen-reactive layers, photo-sensors, Hall effect sensors, and circuits that monitor clock frequency and/or reset frequency.

The system 100 may additionally perform algorithmic analysis of interface traffic. For example, fingerprint images received from a fingerprint sensor may be analyzed by the identity credential verification subsystem 103; if the identity credential verification subsystem 103 repeatedly receives the exact same bit pattern representation of fingerprints, it is possible that someone is deliberately placing that bit pattern on the interface. Similarly, if the identity credential verification subsystem 103 receives bit patterns that are an exact rotation or other permutation of a previously received image, again someone may be altering the contents of the interface.
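The interface-traffic analysis described above, as an added example written for this page (it is not code from the patent or from any product): the monitor remembers a digest of every fingerprint image it has received and classifies each new image as NEW, REPLAY (bit-identical to an earlier image) or PERMUTED_REPLAY (a rotation or mirror image of an earlier one). Images are modelled as small row-major grids of 8-bit samples; the grids, the class and method names, and the choice of the eight rotations/mirrors as the permutation set to check are assumptions made for this example.

```python
import hashlib


def rotate90(img):
    """Rotate a row-major grid of 8-bit samples 90 degrees clockwise."""
    return [list(row) for row in zip(*img[::-1])]


def mirror(img):
    """Mirror a grid left-to-right."""
    return [list(row[::-1]) for row in img]


def orientations(img):
    """All eight rotations/mirrors of img (assumed permutation set for this example)."""
    out, cur = [], img
    for _ in range(4):
        out.append(cur)
        out.append(mirror(cur))
        cur = rotate90(cur)
    return out


def digest(img):
    """SHA-256 over the grid dimensions and the raw sample bytes."""
    h = hashlib.sha256()
    h.update(f"{len(img)}x{len(img[0])}:".encode())
    for row in img:
        h.update(bytes(row))
    return h.hexdigest()


class InterfaceMonitor:
    """Watches images arriving on the sensor interface (connection 110).

    A live finger never yields the same bits twice, so an exact repeat, or an
    exact rotation/mirror of an earlier image, is treated as evidence that
    something other than the sensor is driving the interface.
    """

    def __init__(self):
        self.exact_seen = set()   # digests of every image received so far
        self.orbit_seen = set()   # canonical digests (smallest over all orientations)
        self.events = []          # audit trail of (verdict, digest)

    def classify(self, img):
        exact = digest(img)
        # An image and every rotation/mirror of it share one canonical value.
        canonical = min(digest(o) for o in orientations(img))
        if exact in self.exact_seen:
            verdict = "REPLAY"
        elif canonical in self.orbit_seen:
            verdict = "PERMUTED_REPLAY"
        else:
            verdict = "NEW"
        self.exact_seen.add(exact)
        self.orbit_seen.add(canonical)
        self.events.append((verdict, exact))
        return verdict


def demo():
    """Constructed sample traffic: a fresh image, a bit-identical repeat,
    a rotated repeat, and a second fresh image that differs in one sample."""
    monitor = InterfaceMonitor()
    first = [[10, 20, 30], [40, 50, 60]]
    return [
        monitor.classify(first),
        monitor.classify([[10, 20, 30], [40, 50, 60]]),
        monitor.classify(rotate90(first)),
        monitor.classify([[10, 20, 30], [40, 50, 61]]),
    ]


if __name__ == "__main__":
    print(demo())
```

A real subsystem would keep the digest sets bounded (for instance, the last few hundred images) and would feed the verdict into the programmable security responses discussed later, rather than merely logging it.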

The in-circuit security system can be used as a standalone component for security applications or as one of multiple components within an electronic device. In one use of the invention, a handheld computer is equipped with the in-circuit security system 100, as seen in FIG. 2. The computer further comprises a display 213, a keypad 214, a non-secure processor 201 and memory 202, and a fingerprint sensor 203. Additionally, for embodiments in which the in-circuit security system 100 includes a transceiver 107 that uses cellular wireless technology, the handheld computer also incorporates an antenna 204.

The primary user of the handheld computer enrolls a fingerprint, a digital certificate, and an associated private key into the in-circuit security system 100. The fingerprint is stored in the identity credential verification subsystem 103 and is used to authorize use of the private key associated with the digital certificate. The digital certificate may be stored in the cryptographic subsystem 104 or the main memory 102 of the in-circuit security system 100.

The individual typically uses the handheld computer to transmit and receive e-mail. He requires the in-circuit security system 100 to digitally sign his e-mail, which requires accessing the stored private key associated with his fingerprint. He selects his e-mail program, and types an e-mail for transmission using the keypad 214. The keypad 214 is coupled to the processor 201, which receives the data and creates an appropriate message packet for transmission. Once created, the message packet is sent to the in-circuit security system 100 for further processing.

The processor 101 of the in-circuit security system 100 receives the message packet and analyzes the established security settings for transmission of e-mail. Because the in-circuit security system 100 is configured to require digital signing of e-mail prior to transmission, the individual must first authenticate his fingerprint to the identity credential verification subsystem 103. The biometric authentication is required to prevent unauthorized users from encrypting e-mail with a private key that is not theirs. The processor 101 signals the identity credential verification subsystem 103 to wait for a new fingerprint sample from the fingerprint sensor 203, and signals the non-secure processor 201 to provide a visual prompt to the user on the display 213. After the user places his finger on the fingerprint sensor 203 it sends the new fingerprint image to the identity credential verification subsystem 103. The identity credential verification subsystem 103 analyzes the image, generates a template, and compares it to the enrolled fingerprint template. If the two match, the identity credential verification subsystem 103 sends a signal to the processor 101 that the individual is authorized to use the stored private key.

The processor 101 now sends the e-mail message to the cryptographic subsystem 104 and instructs the cryptographic subsystem 104 to sign the message. This typically involves generating a hash of the message and encrypting it with the private key. The cryptographic subsystem 104 may also include a timestamp generated by the real-time clock, the unique device identifier, or other data, prior to the hash. The cryptographic subsystem 104 now sends the signed e-mail message back to the processor 101. The processor 101, in turn, sends the signed e-mail to the cellular transceiver 107 for transmission to a remote recipient.
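The handheld signing flow just described, as an added example written for this page (not the patent's or any vendor's code): the enrolled templates and the signing key exist only inside the InCircuitSecuritySystem object, a fresh fingerprint match is required before anything is signed, and the signed packet binds in the timestamp and the unique device identifier before hashing. Assumptions made for this example: a template is the SHA-256 digest of the raw image bytes (a real subsystem extracts minutiae and matches with a tolerance), HMAC-SHA256 over the message hash stands in for encrypting the hash with the private key so the block runs on the standard library alone, and the user name, sample images, device identifier and key are constructed values.

```python
import hashlib
import hmac
import json


def make_template(image_bytes):
    """Toy template: digest of the raw image (stand-in for minutiae extraction)."""
    return hashlib.sha256(image_bytes).hexdigest()


def _canonical(payload):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload, key):
    """Hash the payload, then 'sign' the hash. HMAC is the stand-in for the
    private-key operation of the cryptographic subsystem 104."""
    digest = hashlib.sha256(_canonical(payload)).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


class InCircuitSecuritySystem:
    """Model of the secure chip: processor 101 policy plus subsystems 103 and 104.

    Nothing stored here is ever handed back to the non-secure side.
    """

    def __init__(self, device_id, signing_key):
        self.device_id = device_id        # one-time programmable identifier
        self._signing_key = signing_key   # stands in for the enrolled private key
        self._templates = {}              # user_id -> enrolled template

    def enroll(self, user_id, image_bytes):
        self._templates[user_id] = make_template(image_bytes)

    def verify_credential(self, image_bytes):
        """Identity credential verification subsystem 103: matched user id or None."""
        candidate = make_template(image_bytes)
        for user_id, enrolled in self._templates.items():
            if hmac.compare_digest(candidate, enrolled):
                return user_id
        return None

    def sign_email(self, message, image_bytes, timestamp):
        """Signing is gated on a fresh match; returns None when the chip forgoes signing."""
        signer = self.verify_credential(image_bytes)
        if signer is None:
            return None
        payload = {
            "device_id": self.device_id,
            "signer": signer,
            "timestamp": int(timestamp),   # value read from real-time clock 105
            "message": message,
        }
        return {"payload": payload, "signature": _sign(payload, self._signing_key)}


def verify_signed_email(signed, key):
    """Recipient-side check. With a real key pair this would use the public key
    from the digital certificate; the HMAC stand-in needs the shared key."""
    return hmac.compare_digest(_sign(signed["payload"], key), signed["signature"])


def demo():
    """Constructed scenario: Alice is enrolled; an unenrolled finger is refused."""
    key = b"constructed-signing-key-for-example"
    chip = InCircuitSecuritySystem("DEV-0001", key)
    chip.enroll("alice", b"constructed fingerprint image of alice")
    signed = chip.sign_email("hello", b"constructed fingerprint image of alice", 1700000000)
    refused = chip.sign_email("hello", b"constructed image of some other finger", 1700000001)
    return signed, refused, verify_signed_email(signed, key)


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the decision is taken: the non-secure processor 201 only ever receives a finished packet or nothing at all, so a compromised application on the handheld cannot obtain a signature without a live finger on sensor 203.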

In a second embodiment of the invention, the in-circuit security system 100 is embedded into an electronic door locking mechanism that is used to control access to a secure facility. As seen in FIG. 3, the system comprises the in-circuit security system 100 with a wired connection to the electronic door lock 314, a fingerprint sensor 203, and a series of light emitting diodes (LEDs) 313 that are used to provide visual feedback to the user. Individuals access the secure facility by demonstrating enrollment of their fingerprint into the in-circuit security system 100. The security settings of the in-circuit security system 100 are configured to shut down the entire locking mechanism on a pre-specified number of failed attempts within a pre-specified time span. This is an example of security parameters and settings that are stored within the memory 102.

An enrolled individual wishes to enter the facility. One LED 313 glows green, signaling that the fingerprint sensor 303 is ready. The individual places his finger on the sensor 203, which generates a fingerprint image and sends it to the identity credential verification subsystem 103. The identity credential verification subsystem 103 generates a fingerprint template and compares it to the enrolled fingerprints. The new fingerprint template matches an existing template, so the identity credential verification subsystem 103 sends the individual's unique identifier to the processor 101. The processor 101 accesses the memory 102, which stores security privileges associated with enrolled individuals. The individual who is currently authenticated is authorized to enter the secure facility alone, so the processor 101 sends a signal to the transceiver 107 to trigger the lock 314 to release.

Now an individual who has not been pre-enrolled into the identity credential verification subsystem 103 attempts to enter the secure facility. The individual places his finger on the fingerprint sensor 203, which sends an image of the fingerprint back to the identity credential verification subsystem 103. The fingerprint is compared to all of the enrolled fingerprints, and no match is found because the individual is not enrolled. The identity credential verification subsystem 103 records the date, time and other requisite characteristics of the failed access attempt, and flashes a red LED 313 to show that access has been denied. The identity credential verification subsystem 103 also notifies the appropriate process within the processor 101 that an access failure has occurred.

The individual now tries another, un-enrolled finger. The identity credential verification subsystem 103 records the subsequent failure, and notifies the processor 101 that there has been another failure. When the number of failed attempts reaches the pre-established limit, the identity credential verification subsystem 103 again notifies the processor 101 that a failure has occurred. At this point, the processor 101 applies the security settings and places the electronic lock mechanism 314 in a state where it cannot be unlocked unless it is reset by a recognized authority; in a primary embodiment this would be implemented using a “fail-secure” lock and would involve disconnecting a power source. Alternative actions can occur to put the lock 314 into this state as necessary. The processor 101 may also put the identity credential verification subsystem 103 into a state where it does not accept new fingerprints, create images, or perform matching. As desired by the regulator of the secure facility, the processor 101 may instruct the identity credential verification subsystem 103 to delete any enrolled fingerprint images. These are all examples of programmable security settings.
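The door-lock embodiment's failure handling, as an added example written for this page (not the patent's code): each presented finger is matched against the enrolled templates, every denial is recorded with its timestamp, and once the configured number of denials falls inside the configured time window the controller enters a fail-secure shutdown in which matching stops and the lock cannot release until an enrolled administrator resets it. The template helper is the same toy digest of the raw image bytes used in the signing example; the limit of three failures in sixty seconds, the privilege names "enter" and "admin", the audit event names, and the sample images are assumptions made for this example.

```python
import hashlib
from collections import deque


def make_template(image_bytes):
    """Toy template: digest of the raw image (stand-in for minutiae extraction)."""
    return hashlib.sha256(image_bytes).hexdigest()


class DoorLockController:
    """Security settings held in memory 102, applied by processor 101 to lock 314."""

    UNLOCK, DENIED, SHUTDOWN = "unlock", "denied", "shutdown"

    def __init__(self, max_failures=3, window_seconds=60):
        self.max_failures = max_failures      # pre-specified number of failed attempts
        self.window_seconds = window_seconds  # pre-specified time span
        self._templates = {}                  # user_id -> enrolled template
        self._privileges = {}                 # user_id -> set of privilege names
        self._failures = deque()              # timestamps of recent denials
        self.shut_down = False                # fail-secure state of lock 314
        self.audit = []                       # (timestamp, event, detail) records

    def enroll(self, user_id, image_bytes, privileges):
        self._templates[user_id] = make_template(image_bytes)
        self._privileges[user_id] = set(privileges)

    def _match(self, image_bytes):
        """Subsystem 103: return the enrolled user whose template matches, or None."""
        candidate = make_template(image_bytes)
        for user_id, enrolled in self._templates.items():
            if candidate == enrolled:
                return user_id
        return None

    def attempt(self, image_bytes, now):
        """One finger presented at sensor 203 at time `now` (seconds)."""
        if self.shut_down:
            # Subsystem 103 is disabled while shut down: no images, no matching.
            self.audit.append((now, "attempt_during_shutdown", None))
            return self.SHUTDOWN
        user_id = self._match(image_bytes)
        if user_id is not None and "enter" in self._privileges[user_id]:
            self.audit.append((now, "granted", user_id))
            return self.UNLOCK
        self.audit.append((now, "denied", user_id))
        self._failures.append(now)
        # Keep only the denials that fall inside the time window.
        while self._failures and now - self._failures[0] > self.window_seconds:
            self._failures.popleft()
        if len(self._failures) >= self.max_failures:
            self.shut_down = True
            self.audit.append((now, "fail_secure_shutdown", len(self._failures)))
            return self.SHUTDOWN
        return self.DENIED

    def reset(self, image_bytes, now):
        """Clear the shutdown; only an enrolled user holding 'admin' may do so."""
        user_id = self._match(image_bytes)
        if user_id is None or "admin" not in self._privileges[user_id]:
            self.audit.append((now, "reset_refused", user_id))
            return False
        self.shut_down = False
        self._failures.clear()
        self.audit.append((now, "reset", user_id))
        return True


def demo():
    """Constructed scenario: one ordinary user, one administrator, one stranger."""
    lock = DoorLockController(max_failures=3, window_seconds=60)
    lock.enroll("alice", b"constructed alice image", {"enter"})
    lock.enroll("admin", b"constructed admin image", {"enter", "admin"})
    stranger = b"constructed stranger image"
    return [
        lock.attempt(b"constructed alice image", 0),   # enrolled: unlock
        lock.attempt(stranger, 10),                     # first denial
        lock.attempt(stranger, 20),                     # second denial
        lock.attempt(stranger, 30),                     # third within window: shutdown
        lock.attempt(b"constructed alice image", 40),   # refused while shut down
        lock.reset(b"constructed alice image", 50),     # alice is not an admin
        lock.reset(b"constructed admin image", 55),     # administrator clears it
        lock.attempt(b"constructed alice image", 60),   # unlock again
    ]


if __name__ == "__main__":
    print(demo())
```

The sliding window matters for the reader: denials older than the window are discarded, so an occasional misread finger spread over a day does not lock the door, while a burst of denials does, which is the behaviour the settings in memory 102 are meant to express.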

FIGS. 4-5 depict embodiments of a biometric personal identification device (BPID) for remote-controlled applications.

Necessity of the BPID of the present invention:

Remote control products have been in service for decades and have become ubiquitous for many applications. However, despite the many successful applications for saving time, steps, and effort, there are only limited examples among remote control products and remote control communication systems that demonstrate the capacity to provide security to remote control applications that need or could be improved by security.

Moreover, at the time of this writing, the inventors have found few existing examples in the arts relating to “remote control” intellectual property or to “remote-controlled products and applications”, where privacy concerns are simultaneously addressed along with security and authentication concerns. Notwithstanding, there are many existing and potential remote control applications where privacy and security, user authentication, user auditing, and user monitoring, concerns abound. Unsurprisingly, latent demand exists for appropriate existing and potential applications. The marketplace is ready for privacy and security oriented remote controller devices and associated remote-controlled products and applications, despite the shortage of applicable technology prior to the emergence of the present inventions.

More specifically, latent demand exists for apparatuses, methods, and systems capable of monitoring, auditing, and enforcing different privilege levels of authorized usage for a remote control apparatus and corresponding different privilege levels of authorized remote control of remote-controlled resources, e.g., entertainment resources, polling resources, testing resources, interactive or user response-oriented resources, and other resources and assets including remote controlled machinery, etc. Typical examples of potential products and applications for which latent demand exists where differentiable privacy- and security-oriented remote control transmitter and/or transceiver apparatuses are appropriate include:

-   Entertainment Applications, most notably, conventional TV and/or PC control applications such as parental control, Nielsen sweep analysis, etc.; cable television (CATV) applications including “set-top box” control applications including parental control and Nielsen sweeps, access to premium services, access to portable and mobile subscription services, access to bi-directional interactive applications such as multi-player leisure game services, leisure game show inputs, etc.;
-   Remote Polling, Voting, and Testing Applications, where differentiable remote control transmitters and transceivers can be used to register, verify, and log in—and where applicable, continuously verify—proven single instances of distinct, unique, authenticated voters' votes, or responders' voting responses to polling application choices, or test subjects' responses to test questions;
-   Educational Services, such as unidirectional and bi-directional “remote learning” content control applications, including “Interactive Learning” applications, including continuously verifiable, preauthorized testing services and applications;
-   Military, Government, and Law Enforcement Services, e.g., “Soldier of the Future” products.

Everything considered, there is a definite need in the art to provide consolidated security, and privacy features into remote control apparatuses and remote controlled systems. There is also a definite need in the art to provide anonymity features, where applicable and appropriate, into remote control apparatuses and remote controlled systems. While prior art inventors have addressed security concerns to a certain extent, and while a few inventors have addressed privacy and security concerns together, no prior art or products have addressed privacy and security in the flexible and robust apparatuses, methods, and systems of the present BPID. Several examples of prior art addressing privacy and/or security follow below.

Accordingly, it is a primary object of the BPID disclosed herein, toprovide a privacy- and security-oriented remote controller apparatus,method, and system for privately and securely controlling a variety ofremotely controllable machinery, including (but not limited to)televisions, personal computers, set-top control terminals, etc.

It is another primary object to provide a privacy- and security-orientedremote control apparatus, method, and system for cross-platform andcross-application mobility and portability, where preauthorized,enrolled users can freely carry their privileges from one location toanother to control the same, similar, and/or different remotelycontrolled equipment.

It is another primary object, to provide an apparatus, method andsystem, which taken together, provide means for absolute personalidentity authentication for individuals wishing to remotely controlaccess-protected, restricted, metered, monitored resources, assets, andservices.

Another object of the BPID is to enable service providers to monitor,audit, and track the activity of users accessing, or attempting toaccess, restricted and protected equipment and services by means ofremote controllers.

Another object of the present BPID is to match physical persons todiscrete devices such that only authorized individuals are associatedwith each device and so that only authorized individuals can effectuateaccess with a remote controller. A related object of the BPID is tocreate multiple levels of privilege and access for a plurality of usersaccessing a plurality of remote control apparatuses to control aplurality of remote-controlled devices and applications.

It is another primary object of the BPID to decentralize authenticationand verification services such that the user apparatuses serve asautonomous authentication devices and can identify persons and theirassigned user privileges without requiring remote access to a centralsystem or to a centralized authentication database.

The BPIDs disclosed herein provide privacy- and security-orientedidentity credential verification devices (in prior art applications ofthe instant inventors) and privacy- and security oriented remote controlapparatuses, subsystem apparatuses, methods, and systems adapted forauthenticating and verifying prospective remote control apparatus users(in this application).

The most basic user-operated devices of prior art inventions to theinstant inventors are simply identity credential verification devices.While such devices excel at identifying prospective users thereof, bymeans of re-verifying a submitted biometric credential such as afingerprint, they do not effectuate remote control events in remotelycontrolled machinery.

Prospective users of remote controllers of the present BPID must verifytheir pre-enrolled identities prior to accessing their preauthorized,assigned privileges to their remote control devices, prior to beingauthorized and granted access to their remote control devices, andsubsequently, to compatible remote-controlled resources equippedaccording to teachings of the present BPID. User-operated apparatuses ofthe BPID are privacy- and security oriented, remote control apparatuses.The authenticated and verified, user-operated remote control apparatusesof the present BPID either (1) include an identity credentialverification subsystem (ICVS) module for verifying a prospective user'spre-enrolled status and privileges, and/or (2) interface with either anindependent, proximate, ICVS, and/or (3) an ICVS module embedded into aremote-controlled resource. Such a remote-controlled resource can onlybe operated by properly enabled remote controllers, which are accessibleand operable only by pre-enrolled, preauthorized users who arere-authenticated and re-verified prior to each operational event.

The methods of the BPID comprise steps, procedures, policies foraccomplishing and enforcing pre-enrollment and subsequent authenticationof preauthorized users. The systems of the BPID embed an ICVS subsystemin the remote control apparatus of the BPID and/or implement an ICVSsystem external and proximate to the remote control apparatus by meansof a wireless interactive communication link, such as a Bluetoothconnection.

The platform, fundamental apparatus of the invention comprises the BPIDas described above, plus one or more implementations of enablingapplication software. This allows the device to function as a remotecontrol for apparatuses including (but not limited to) televisions,VCRs, DVD players and stereo systems, radios, etc., which can bepre-programmed to respond only to pre-determined, authorized remotecontrol apparatuses. The remote control apparatuses of the presentinvention including platform BPID functionality, can be embodied aseither transmitters—using any appropriate transmission media, including,but not limited to, infrared and RF—or, in more advanced applicationswith additional privacy and security features—as transceivers.Optionally, some or all of the remotely controlled functionality of thepresent invention can be alternatively embodied into interfacecontroller devices such as “set-top controllers” or “set-top boxes”,rather than solely in one or more remotely controlled devices themselvessuch as televisions, DVD players and stereo systems, radios, etc.

Notwithstanding, in most embodiments there is no need for external“central site interaction”, nor a need for elaborate, expensive, ortechnically laborious centralized interactions or complex, non-proximatesignal processing chains.

The ICVS subsystem apparatuses of the invention include (1) modular,factory-installed components for implementing ICVS in a remote controlapparatus of the present invention; (2) standalone and independentICVS-class apparatuses, i.e., either (2a) multi-functional set-top boxesor (2b) single function ICVS boxes accessible by RF or other viablecommunications standard; and (3) customer-installable modules to upgradeplatform devices such as to implement advanced features, or to upgradeexisting features.

To implement privacy and security features into remote controllers ofthe present invention, both a factory-installed, embedded core ICVSsubsystem apparatus and a user-installed modular core subsystemapparatus are disclosed; either or both can be installed in the remotecontrol of the present invention. Both installed and/or modularlyinstallable subsystem apparatuses can enable and perform authenticationof pre-authorized users. ICVS-borne, “user authentication functions”implement not only basic user authentication in a remote controller, butcan also permit multiple levels of privileged access toremote-controlled resources as well as portable privileges for accessingremote-controlled resources and their applications, services, etc.

The user authentication process is further performed in a mannersupportive of the individual's right to privacy, in accord with theapplication accessed and the stipulations of the remote-controlledresource or application owner, if any. The preferred embodiment of theinvention stores a pre-enrolled biometric template of the authorizedindividual within tamper-resistant memory within the remote controlapparatus. The template is never authorized to leave the device, and is“zeroed-out” upon unauthorized attempted physical or logical access.When an individual wishes to access controlled resources, he/she submitsanother biometric template through a reader on the device. If thesubmitted identity credential matches the template stored therein, theuser is granted access to operate the remote controller and themachinery it controls.

One primary preferred embodiment of the remote controller apparatus ofthe present invention is a transmitter adapted for generating andtransmitting a basic, “standalone”, simplex, one-way “identitycredential verification signal” transmission from a user's remotecontrol device to a target device after successful initial userauthentication. This first primary embodiment performs the userauthentication process, displays of the result in the form of a user“identity credential verification display”, generates and transmits asappropriate, a user “identity credential verification signal”, and alsotransmits user control signals to the remotely controlled device.

A second primary preferred embodiment of the remote controller apparatuscomprises a transceiver version. The transceiver version is capable ofperforming standalone user authentication, but is also capable ofcommunicating with an external identity credential verification system(ICVS) and/or other external device or transceiver, based on how it isconfigured at manufacturing and/or based on how it was optioned by auser and a system administrator after deployment. As described in theBPID discussion, the user-operated remote control transceiver may use awireless technology ranging from IrDA to RF, or optionally, may use awired communications medium and/or protocol. In Willis of interactivity,this second preferred embodiment is capable of receiving a plurality ofsignals from other remote control user apparatuses and/or from external,remote-controlled apparatuses, appropriately equipped. Depending on thesituation, a variety of different signal types may be transmitted andreceived by appropriately equipped user remote control apparatuses andremotely controlled interface devices including set-top boxes and/orother appropriately equipped transceiver apparatuses.

For purposes of illustration, the apparatus of the invention will bedescribed as using a fingerprint for the identity credentialverification method and Bluetooth RF wireless technology as thecommunication media. However, a variety of modifications andsubstitutions may be made thereto without departing from the spirit andscope of the inventions. Thus, by way of example, the invention is notlimited to the use of any specific communications architecture orsystem, or specific method or type of ICVS.

Theory of Operation

In one operational embodiment, the remote control apparatus of the invention is used in conjunction with a television, a television set-top box, and a premium cable channel such as HBO, Cinemax or Showtime. The remote control is issued to the paying customer and is enrolled with his fingerprint upon application for the premium service. The enrollment process may take place within the cable company's office, online, or through another company-approved method. As per traditional methods, the cable company will also supply the set-top box in order to provide access to the premium cable channel. In this embodiment of the invention, the set-top box is adapted to allow access to the premium channel only upon receipt of an encrypted authorization signal from the authorized remote control device, from among a “premium class” of remote control devices. This further requires that the set-top box is assigned either a public/private key pair or a symmetric key, and that it receives the public key of the authorized remote control apparatus.

When the individual wishes to access the channel, he selects the remote control function within his BPID, and selects the premium access channel that he wishes to watch. The device will prompt the individual to authenticate himself. Upon successful verification, the device searches its memory to verify that the authenticated individual owns the necessary privileges to watch the channel. If the individual is accepted, the device creates a message comprising the selected service and an authorization notice, and signs it with the device private key. The device further encrypts the message with either a shared symmetric key or the public key of the set-top box before message transmission. Successful decryption and signature verification within the set-top box will enable the television to display the premium channel. It is important to note that the set-top box functionality, as described, may be implemented within the television itself in order to reduce the physical equipment required by the system.
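The premium-channel exchange just described (the same steps are listed again below as the enrollment and access methods), as an added example in Go that is not code from the patent. The remote holds a per-device Ed25519 signing key that never leaves it, the set-top box holds the matching public key, and both hold a 256-bit symmetric key distributed at enrollment, so the authorization message is signed with the device key and then sealed with AES-256-GCM, the shared-symmetric-key variant the text allows. The fingerprint match is assumed to have already succeeded inside the remote before Authorize is called, and the privilege map, the remote class names, the message field layout and the function names are all assumptions for illustration. One point the text leaves open: the message it describes carries only the selected service and an authorization notice, so a recorded ciphertext could be replayed to the set-top box later; the example therefore adds a monotonically increasing counter to the signed message and has the set-top box reject any counter it has already accepted. The privilege lookup in the remote's memory is the same check the parental-control embodiment below relies on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Remote models a BPID remote after enrollment (assumed layout); the in-device fingerprint match precedes Authorize and is not shown.
type Remote struct {
	signKey ed25519.PrivateKey // per-device signing key, never leaves the device
	aead    cipher.AEAD        // AES-256-GCM under the key shared with the set-top box
	class   string             // class the set-top box's access privilege list refers to
	privs   map[string]bool    // services the authenticated user is enrolled for
	counter uint64             // send counter: replay protection, not in the patent text
}

type SetTopBox struct {
	aead        cipher.AEAD       // same shared key as the remote
	remotePub   ed25519.PublicKey // public key of the enrolled remote
	allowed     map[string]bool   // access privilege list of remote classes
	lastCounter uint64            // highest counter accepted so far
}

// NewPairing does the key provisioning of enrollment: a signing key pair for the
// remote, one shared symmetric key for both sides, and the remote's public key
// plus the permitted class list for the set-top box.
func NewPairing(class string, privs, allowed map[string]bool) (*Remote, *SetTopBox, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(shared) // cannot fail: the key is exactly 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail: AES has a 16-byte block
	r := &Remote{signKey: priv, aead: aead, class: class, privs: privs}
	s := &SetTopBox{aead: aead, remotePub: pub, allowed: allowed}
	return r, s, nil
}

// Authorize is the remote side: privilege lookup in device memory, sign with the
// device private key, then encrypt with the shared key. Signed message layout:
// counter (8 bytes) || len(class) (1 byte) || class || service.
func (r *Remote) Authorize(service string) ([]byte, error) {
	if !r.privs[service] {
		return nil, fmt.Errorf("user holds no privilege for %q", service)
	}
	r.counter++
	msg := make([]byte, 8, 9+len(r.class)+len(service))
	binary.BigEndian.PutUint64(msg, r.counter)
	msg = append(append(msg, byte(len(r.class))), r.class...)
	msg = append(msg, service...)
	plain := append(ed25519.Sign(r.signKey, msg), msg...) // signature || message
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return r.aead.Seal(nonce, nonce, plain, nil), nil // nonce || ciphertext || tag
}

// Grant is the set-top box side, in the order the patent gives: decrypt, verify
// the signature, then verify authorization (fresh counter, permitted class).
func (s *SetTopBox) Grant(blob []byte) (string, error) {
	ns := s.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	plain, err := s.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", fmt.Errorf("decrypt: %w", err)
	}
	if len(plain) < ed25519.SignatureSize+9 {
		return "", errors.New("malformed authorization")
	}
	sig, msg := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(s.remotePub, msg, sig) {
		return "", errors.New("signature verification failed")
	}
	cl := 9 + int(msg[8])
	if len(msg) < cl {
		return "", errors.New("malformed authorization")
	}
	counter, class, service := binary.BigEndian.Uint64(msg[:8]), string(msg[9:cl]), string(msg[cl:])
	if counter <= s.lastCounter {
		return "", errors.New("replayed authorization")
	}
	if !s.allowed[class] {
		return "", fmt.Errorf("remote class %q not on access privilege list", class)
	}
	s.lastCounter = counter // committed only after every check has passed
	return service, nil
}
```

NewPairing stands in for the enrollment steps that distribute keys, privileges and the class list; Authorize covers the privilege check, signing and encryption on the remote; Grant covers decryption, signature verification and authorization on the set-top box. Grant commits the counter only after decryption, signature verification and the class check have all passed, so a forged or tampered message cannot advance the set-top box's replay window.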

An important ramification of a decentralized architecture, as described above, is the portability of users' privileges. One individual, Alice, may have a subscription to a premium cable channel, while another individual, Bob, may not. Alice and Bob would like to watch a movie on the premium channel together, but for practical reasons cannot watch the movie at Alice's home. In the traditional implementation of premium services, Alice and Bob would not be able to watch the movie at Bob's home, as he does not subscribe to the service. With the present invention, however, Alice can use her remote control apparatus to take her privileges to Bob's house if he has an appropriate set-top box or television, and they can watch the movie together. For this to work, Bob's set-top box must be able to verify Alice's remote, i.e., it must hold the key material and the access privilege list of remote control classes described above.

In another primary embodiment of the invention, again an individual purchases rights to a premium cable channel, and the cable provider issues and enrolls the individual into one device. However, it may be convenient for the individual, or the individual's family, to have multiple remote control devices. In this situation, the individual may use the pre-enrolled device to enroll subsequent devices, creating a master-slave relationship.

Another embodiment of the invention creates a “parental control” method for limiting individuals' access to programs, movies and channels that have content deemed unsuitable. The owner of the remote control device may enroll multiple persons—and their corresponding fingerprints—into his or an alternate remote control device, along with authorization and privilege levels. Similarly to the request for premium cable services as described above, persons wishing to watch particular television programs must authenticate to the remote control device. The remote control processes the authorization, and transmits an authorization or denial signal appropriately to the television or set-top box. This invention can be extended to cover the operation of VCRs and DVD players; DVDs, for example, can be encoded to include multiple versions of a movie satisfying multiple Motion Picture Association of America (MPAA) ratings.

In another primary embodiment of the invention, users can perform purchasing and other financial transactions through their television and/or set-top box. In recent years we have seen a proliferation of home shopping television networks and infomercials, in which individuals view purchasable items on their televisions. If the individual would like to place an order, he typically calls a telephone number provided at the bottom of the television screen, and supplies a credit card number for payment. This method of shopping is convenient for many users, but lacks personal security because it simply requires possession of a credit card number, without ensuring ownership of the number. In this embodiment of the invention, persons can still order items through their televisions, yet make use of the security benefits of the remote control apparatus. Because the BPID is designed to store a variety of account information, individuals can store credit card numbers and other financial data for this application.

When the viewer selects a home shopping channel, the remote control will register an option for purchasing. If the individual decides to purchase an item, he simply selects the purchasing option on the remote control, and enters the item number and price. He will then select one of the enrolled accounts to pay for the item. This will prompt the user to authenticate himself/herself to the device. If the user is authenticated successfully, the device will sign the message and transmit the appropriate credentials to the television or set-top box. The information can then be transmitted via Internet, phone or other connective medium to pay the seller.

The operational embodiments as described above are also suited for accessing “content distribution” subscription services within stereophonic audio systems in homes, offices and automobiles, such as the emerging XM radio service, pay-per-view television services, and other types of subscription services that use remote control devices.

For example, the various features and characteristics of the BPID interactive system may include:

1) A private and secure remote control apparatus adapted for authenticating and for matching at least one user identity credential of a prospective user with at least one stored pre-enrolled user identity credential of at least one preauthorized user, further adapted for transmitting user permissions and transmitting remote control signals for accessing and controlling remotely controlled apparatuses comprising resources, applications, and services.

2) The private and secure remote control apparatus recited in 1, wherein the user identity credential comprises at least one personal biometric means.

3) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human fingerprints.

4) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human handprints.

5) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human voice.

6) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human iris patterns.

7) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human facial patterns.

8) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human retinal patterns.

9) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human heartbeat patterns.

10) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human DNA patterns.

11) The private and secure remote control apparatus as recited in 1, further adapted as a transceiver means both for transmitting user permissions and remote control signals and for receiving data, information, and control signals from remote-controlled apparatuses and interface devices comprising resources, applications, services.

12) The private and secure remote control apparatus as recited in 11, wherein the user identity credential comprises at least one personal biometric means.

13) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human fingerprints.

14) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human handprints.

15) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human voice.

16) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human iris patterns.

17) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human facial patterns.

18) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human retinal patterns.

19) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human heartbeat patterns.

20) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human DNA patterns.

21) A method for administering and distributing premium cable television services comprising:

a) assigning at least one of the private and secure remote control apparatus (of any of the preceding claims) to a pre-authorized user,

b) assigning at least one remote-controlled interface device comprising a set-top box adapted for communicating with said remote control apparatus assigned to a pre-authorized user,

c) providing said remote control apparatus and said remote-controlled interface device comprising a set-top box with corresponding encryption keys such that the two communicate securely,

d) enrolling a pre-authorized user's personal identity credentials into said remote control apparatus,

e) enrolling a pre-authorized user's predetermined privileges and authorizations into said remote control apparatus, and

f) enrolling into said remote-controlled interface device an access privilege list of classes of remote control apparatuses allowed to access premium services from said remote-controlled interface device comprising a set-top box for controlling remote-controlled apparatuses comprising resources, applications, and services.

22) A method for accessing premium cable television service comprising:

a) selecting the service using the secure remote control apparatus as recited in any of 1-20,

b) authenticating the user to said secure remote control apparatus,

c) verifying within said secure remote control apparatus that the user has proper privileges to access the service,

d) creating within said secure remote control apparatus a message comprising the authorization and a digital signature,

e) encrypting within said secure remote control apparatus the authorization message, using encryption keys distributed at enrollment,

f) transmission from said secure remote control apparatus to a pre-distributed remote-controlled interface device comprising a set-top box,

g) decrypting within said interface device comprising a set-top box,

h) verification of digital signature within said interface device comprising a set-top box, and

i) verification of user authorization.

23) A method for establishing restricted access for subsequent users using the secure and private remote control apparatus as recited in any of 1-20, comprising:

a) establishing restricted access and privilege levels for subsequent users,

b) demonstrating ownership of said device by verifying personal identity,

c) enrolling subsequent users' identity credentials within said device, and

d) enrolling subsequent users' predetermined privileges and authorizations into said remote control apparatus.

24) An identity credential verification system for matching and authenticating at least one submitted identity credential of a prospective user, wherein said submitted identity credential is matched and verified by said identity credential verification system, comprising:

a) at least one remote control user,

b) a remote control apparatus platform,

c) an onboard identity credential verification system embedded into said remote control apparatus platform including an identity credential verification apparatus means for initially enrolling said at least one user by means of storing at least one enrolled user identity credential and for subsequently matching said at least one user identity credential prior to authorizing and granting access to said remote controller apparatus platform to said at least one remote control user.

While the description above refers to particular embodiments of the present invention, it will be understood that many modifications may be made without departing from the spirit thereof. The accompanying claims are intended to cover such modifications as would fall within the true scope and spirit of the present invention.

1. (canceled)

2. A method comprising: at a first electronic device comprising a transmitter, a secure processor, a secure memory, and one or more biometric sensors, wherein the first electronic device is configured to communicate securely via the transmitter with a second electronic device that is separate from the first electronic device: receiving first biometric information of a user via the one or more biometric sensors; in response to receiving the first biometric information, comparing, via the secure processor, the first biometric information to second biometric information stored in the secure memory; determining, based on the comparison, whether the user meets authentication criteria; in accordance with a determination that the user meets authentication criteria: generating a verification signal that, when received by the second electronic device, grants access to operate the second electronic device, and transmitting the verification signal to the second electronic device; and in accordance with a determination that the user does not meet the authentication criteria, forgoing generating the verification signal and transmitting the verification signal to the second electronic device.

3. The method of claim 2, wherein the second biometric information cannot be removed from the first electronic device.

4. The method of claim 2, wherein the secure memory comprises a tamper-resistant memory, and the second biometric information is zeroed-out upon unauthorized attempted access.

5. The method of claim 2, wherein the second biometric information comprises a biometric template, and the user meets authentication criteria when the first biometric information is consistent with the biometric template.

6. The method of claim 2, further comprising: in accordance with a determination that the user meets authentication criteria, providing access to a resource of the second electronic device to the user.

7. The method of claim 2, wherein the second electronic device is an interface device and the access provided to the user in accordance with the determination that the user meets authentication criteria includes access to a service and an application on the interface device.

8. The method of claim 2, further comprising: receiving a signal from the second electronic device after providing the verification signal to the second electronic device.

9. The method of claim 2, wherein granting access to operate the second electronic device comprises granting access to media content via the second device.

10. The method of claim 9, wherein the access to media content comprises access to a premium subscription service.

11. The method of claim 2, wherein granting access to operate the second electronic device comprises granting access to educational content via the second device.

12. The method of claim 11, wherein the educational content comprises one or more of a remote learning application, a testing service, and a testing application.

13. The method of claim 2, wherein the second electronic device is locked by an electronic lock mechanism, and granting access to operate the second electronic device comprises unlocking the second electronic device.

14. The method of claim 2, wherein the verification signal, when received by the second electronic device, permits pre-enrolling a third electronic device with access to operate the second electronic device.

15. The method of claim 14, wherein pre-enrolling the third electronic device creates a master-slave relationship between the first electronic device and the third electronic device.

16. A method comprising: at a first electronic device comprising a transmitter, a secure processor, a secure memory, and one or more biometric sensors, wherein the first electronic device is configured to communicate securely via the transmitter with a second electronic device that is separate from the first electronic device: receiving, at the first electronic device, a request to purchase an item via a shopping service; receiving, at the first electronic device, a selection of a purchasing account; receiving first biometric information of a user via the one or more biometric sensors; in response to receiving the first biometric information, comparing, via the secure processor, the first biometric information to second biometric information stored in the secure memory; determining, based on the comparison, whether the user meets authentication criteria; in accordance with a determination that the user meets authentication criteria: transmitting to the second electronic device credentials that, when received by the second electronic device, causes a seller of the item to be paid via the purchasing account; and in accordance with a determination that the user does not meet the authentication criteria, forgoing transmitting the credentials to the second electronic device.

17. The method of claim 16, wherein the shopping service is accessible via the second electronic device.

18. A first electronic device comprising: a transmitter; one or more processors, the one or more processors comprising a secure processor; one or more memories, the one or more memories comprising a secure memory; one or more biometric sensors; and one or more programs, wherein the one or more programs are stored in the one or more memories and are configured to be executed by the one or more processors, the one or more programs including instructions, which when executed by the one or more processors, cause the first electronic device to: receive first biometric information of a user via the one or more biometric sensors; in response to receiving the first biometric information, compare, via the secure processor, the first biometric information to second biometric information stored in the secure memory; determine, based on the comparison, whether the user meets authentication criteria; in accordance with a determination that the user meets authentication criteria: generate a verification signal that, when received by a second electronic device separate from the first electronic device, grants access to operate the second electronic device, and transmit the verification signal to the second electronic device; and in accordance with a determination that the user does not meet the authentication criteria, forgo generating the verification signal and transmitting the verification signal to the second electronic device, wherein the first electronic device is configured to communicate securely via the transmitter with the second electronic device.

19. A non-transitory computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a first electronic device comprising a transmitter, a secure processor, a secure memory, and one or more biometric sensors, the first electronic device configured to communicate securely via the transmitter with a second electronic device that is separate from the first electronic device, cause the first electronic device to: receive first biometric information of a user via the one or more biometric sensors; in response to receiving the first biometric information, compare, via the secure processor, the first biometric information to second biometric information stored in the secure memory; determine, based on the comparison, whether the user meets authentication criteria; in accordance with a determination that the user meets authentication criteria: generate a verification signal that, when received by the second electronic device, grants access to operate the second electronic device, and transmit the verification signal to the second electronic device; and in accordance with a determination that the user does not meet the authentication criteria, forgo generating the verification signal and transmitting the verification signal to the second electronic device.